Extracting prog: 2m22.387280187s
Minimizing prog: 32m44.838822448s
Simplifying prog options: 0s
Extracting C: 59.336047921s
Simplifying C: 6m15.371163194s


extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-bpf$MAP_CREATE-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$nl_route-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-syz_init_net_socket$bt_hci-bind$bt_hci-io_setup-setsockopt$SO_ATTACH_FILTER-io_submit-syz_usb_control_io$hid-syz_usb_control_io$hid-syz_open_dev$tty1-socket$unix-connect$unix-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$selinux_member-write$selinux_access-creat-close-getpid-syz_pidfd_open-mount$9p_fd-setsockopt$inet_int-mprotect-socket$tipc
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="12010000000018105e04da0700000000000109022400010000000009040000090300000009210000000122220009058103"], 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="0900000004000000e27f000001"], 0x50)
r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f00000002c0)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="000000eebc849e0000000000b7080000000000007b8af8ff00000000bfa200000000e8ff06020000f8ffffffb703000008000000b70400000000000085000000030000009500000000000000"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000040)='kmem_cache_free\x00', r2}, 0x10)
r3 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r3, 0x10e, 0xc, &(0x7f0000000040)={0x200000c0, 0xffffffff, 0xfffffff8}, 0x10)
sendmsg$nl_route(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB="2c0000001a00010029bd70000000000002202000000000000020000008001900ac1414bb05001a"], 0x2c}}, 0x0)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000280)={0x1f, 0xffff, 0x3}, 0x6)
io_setup(0x8f0, &(0x7f0000002400)=<r5=>0x0)
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x6}]}, 0x10)
io_submit(r5, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x2002000000, 0x4, 0x0, 0x1, 0x0, r4, &(0x7f0000000040)="0200ffff0000", 0x6, 0x0, 0x0, 0x2}])
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000000)={0x24, 0x0, 0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="00222200000096231306e53f070c0000032a9000070100f3ff835ecdd531a624cdd5c15d75f95c451eccd2f4b3827f4f918d1aac7e1294a92f863ab028be32236c27866de537b9381ba58d1fd284c07d28ef9cfcba0ad01994ea356afaf499b8622a729857b53bcaa4ae7b2e03f997005ed15f5048708db94e114e910100a3ee24bb0178d4cbf81233313ef785bff506be04e825748afd3f3cd100b4eee2e7f2c82becb37f5f457cb14b0a5e0437b56049fb9ebc79053ad9c805fed732c89ee461a123f0cd2a5a3e5401"], 0x0}, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x3)
r6 = socket$unix(0x1, 0x1, 0x0)
connect$unix(r6, &(0x7f0000000080)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0xb, &(0x7f00000009c0)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000093850000007100000095"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0x4, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r7}, 0x10)
r8 = openat$selinux_member(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$selinux_access(r8, &(0x7f00000004c0)=ANY=[@ANYBLOB="73797374656d5f753a6f626a6563745f723a7570647077645f657865635f742073797374656d5f753a73797374656d5f723afaffffffffffffff3a73302030"], 0x56)
r9 = creat(&(0x7f0000000340)='./file0\x00', 0x28)
close(r9)
r10 = getpid()
r11 = syz_pidfd_open(r10, 0x0)
mount$9p_fd(0x0, &(0x7f0000000240)='./file0\x00', &(0x7f00000000c0), 0x0, &(0x7f0000000d80)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r9, @ANYBLOB=',wfdno=', @ANYRESHEX=r11])
setsockopt$inet_int(r9, 0x0, 0x7, &(0x7f0000000380)=0x9, 0x4)
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1)
socket$tipc(0x1e, 0x2, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-bpf$PROG_LOAD-inotify_add_watch-rmdir-syz_clone-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
bpf$PROG_LOAD(0x5, &(0x7f00000044c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x0, 0x0}, 0x94)
inotify_add_watch(0xffffffffffffffff, &(0x7f0000000180)='./control\x00', 0xa4000960)
rmdir(&(0x7f0000000100)='./control\x00')
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
single: successfully extracted reproducer
found reproducer with 16 syscalls
minimizing guilty program
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-bpf$PROG_LOAD-inotify_add_watch-rmdir-syz_clone-recvmmsg
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
bpf$PROG_LOAD(0x5, &(0x7f00000044c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x0, 0x0}, 0x94)
inotify_add_watch(0xffffffffffffffff, &(0x7f0000000180)='./control\x00', 0xa4000960)
rmdir(&(0x7f0000000100)='./control\x00')
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-bpf$PROG_LOAD-inotify_add_watch-rmdir-syz_clone-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
bpf$PROG_LOAD(0x5, &(0x7f00000044c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x0, 0x0}, 0x94)
inotify_add_watch(0xffffffffffffffff, &(0x7f0000000180)='./control\x00', 0xa4000960)
rmdir(&(0x7f0000000100)='./control\x00')
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-bpf$PROG_LOAD-inotify_add_watch-rmdir-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
bpf$PROG_LOAD(0x5, &(0x7f00000044c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x0, 0x0}, 0x94)
inotify_add_watch(0xffffffffffffffff, &(0x7f0000000180)='./control\x00', 0xa4000960)
rmdir(&(0x7f0000000100)='./control\x00')
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-bpf$PROG_LOAD-inotify_add_watch-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
bpf$PROG_LOAD(0x5, &(0x7f00000044c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x0, 0x0}, 0x94)
inotify_add_watch(0xffffffffffffffff, &(0x7f0000000180)='./control\x00', 0xa4000960)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-bpf$PROG_LOAD-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
bpf$PROG_LOAD(0x5, &(0x7f00000044c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41, 0x0, 0x0, 0x0}, 0x94)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-close-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
close(r2)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$BPF_PROG_TEST_RUN-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000900)={0xffffffffffffffff, 0x18000000000002a0, 0xa, 0x0, &(0x7f0000000040)="76389e147583ddd0569b", 0x0, 0x1c00, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-bpf$PROG_LOAD-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
bpf$PROG_LOAD(0x5, &(0x7f0000001d80)={0x11, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffff}, 0x94)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_usb_control_io-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-timer_create-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
r1 = gettid()
timer_create(0x6, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-gettid-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
gettid()
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io(0xffffffffffffffff, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(0x0, 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, &(0x7f0000001e80)=[{{&(0x7f0000000340)=@l2tp6={0xa, 0x0, 0x0, @private2}, 0x80, &(0x7f00000007c0)=[{&(0x7f00000003c0)=""/13, 0xd}, {&(0x7f0000000400)=""/55, 0x37}, {&(0x7f00000004c0)=""/189, 0xbd}, {&(0x7f0000000580)=""/185, 0xb9}, {&(0x7f0000000680)=""/29, 0x1d}, {&(0x7f0000002340)=""/4096, 0x1000}], 0x6}, 0x3}, {{&(0x7f0000000840)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @local}, 0x80, &(0x7f0000000e40)=[{&(0x7f00000008c0)=""/119, 0x77}, {&(0x7f0000000940)=""/73, 0x49}, {&(0x7f0000000b00)=""/245, 0xf5}, {&(0x7f00000009c0)=""/69, 0x45}, {&(0x7f0000000c00)=""/186, 0xba}, {&(0x7f0000000cc0)=""/193, 0xc1}, {&(0x7f00000006c0)=""/15, 0xf}, {&(0x7f0000000dc0)=""/7, 0x7}], 0x8, &(0x7f0000000f00)=""/20, 0x14}, 0x10005}, {{&(0x7f0000000f80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @private2}}}, 0x80, &(0x7f0000001400)=[{&(0x7f0000000f00)}, {&(0x7f0000001000)=""/148, 0x94}, {&(0x7f00000010c0)=""/147, 0x93}, {&(0x7f0000001180)=""/209, 0xd1}, {&(0x7f0000001280)=""/97, 0x61}, {&(0x7f0000001300)=""/31, 0x1f}, {&(0x7f0000001340)=""/133, 0x85}], 0x7, &(0x7f0000001480)}, 0x80000000}, {{&(0x7f00000014c0)=@un=@abs, 0x80, &(0x7f0000001b40)=[{&(0x7f0000001540)=""/170, 0xaa}, {&(0x7f0000001600)=""/109, 0x6d}, {&(0x7f0000001680)=""/250, 0xfa}, {&(0x7f0000001780)=""/129, 0x81}, {&(0x7f0000003340)=""/4096, 0x1000}, {&(0x7f0000001900)=""/132, 0x84}, {&(0x7f0000004340)=""/71, 0x47}, {&(0x7f0000001a40)=""/203, 0xcb}], 0x8, &(0x7f0000001bc0)=""/94, 0x5e}, 0x8000}, {{&(0x7f0000001c40)=@pptp={0x18, 0x2, {0x0, @multicast1}}, 0x80, &(0x7f0000001840)=[{&(0x7f0000001cc0)=""/180, 0xa4}], 0x1, &(0x7f00000045c0)=""/211, 0xd3}, 0x2}], 0x5, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program did not crash
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40000162, &(0x7f0000001fc0)={0x0, 0x3938700})
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40000162, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xb, &(0x7f0000001880)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000200000850000007000000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffe14, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)

program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40000162, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)

program crashed: KASAN: use-after-free Write in steam_input_open
extracting C reproducer
testing compiled C program (duration=45.496238148s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program crashed: KASAN: use-after-free Write in steam_input_open
simplifying C reproducer
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program crashed: KASAN: use-after-free Write in steam_input_open
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program did not crash
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program did not crash
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program crashed: KASAN: use-after-free Write in steam_input_open
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program crashed: KASAN: use-after-free Write in steam_input_open
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program crashed: KASAN: use-after-free Write in steam_input_open
testing compiled C program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
program crashed: KASAN: use-after-free Write in steam_input_open
testing program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40000162, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)

program crashed: KASAN: use-after-free Write in steam_input_open
validation run: crashed=true
testing program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40000162, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)

program crashed: KASAN: use-after-free Write in steam_input_close
validation run: crashed=true
testing program (duration=45.496238148s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_open_dev$hidraw-recvmmsg-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000e00)=ANY=[@ANYBLOB="1201000000000040de28021100000000000109022400010000d00009040004010300000009210100f90122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000040)={0x2c, &(0x7f0000000200)=ANY=[@ANYBLOB="200b4000000028b1"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f0000002300), 0x0, 0x41402)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x40000162, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)

program crashed: KASAN: use-after-free Write in steam_input_open
validation run: crashed=true
reproducing took 45m25.885008937s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x7f/0xe0 kernel/locking/mutex.c:298
Write of size 8 at addr ffff888112818040 by task udevd/423

CPU: 0 PID: 423 Comm: udevd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
 atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
 mutex_lock+0x7f/0xe0 kernel/locking/mutex.c:298
 steam_input_open+0x91/0x160 drivers/hid/hid-steam.c:297
 input_open_device+0x14c/0x2a0 drivers/input/input.c:635
 evdev_open_device drivers/input/evdev.c:400 [inline]
 evdev_open+0x4d2/0x5e0 drivers/input/evdev.c:487
 chrdev_open+0x597/0x670 fs/char_dev.c:414
 do_dentry_open+0x793/0x1090 fs/open.c:819
 vfs_open+0x73/0x80 fs/open.c:942
 do_open fs/namei.c:3391 [inline]
 path_openat+0x27ad/0x3160 fs/namei.c:3509
 do_filp_open+0x1b3/0x3e0 fs/namei.c:3536
 do_sys_openat2+0x14c/0x6d0 fs/open.c:1217
 do_sys_open fs/open.c:1233 [inline]
 __do_sys_openat fs/open.c:1249 [inline]
 __se_sys_openat fs/open.c:1244 [inline]
 __x64_sys_openat+0x136/0x160 fs/open.c:1244
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f8e92001407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc312f9750 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f8e91f13880 RCX: 00007f8e92001407
RDX: 0000000000080000 RSI: 000055ef4816caf0 RDI: ffffffffffffff9c
RBP: 000055ef4817a340 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055ef465aa0c8
R13: 000055ef465aa0ce R14: 00007ffc312f9d50 R15: 000055ef465b0bcc

Allocated by task 0:
(stack is not available)

Freed by task 375:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4a/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1600 [inline]
 slab_free_freelist_hook+0xc5/0x190 mm/slub.c:1626
 slab_free mm/slub.c:3208 [inline]
 kfree+0xc0/0x270 mm/slub.c:4196
 release_nodes+0x753/0x7d0 drivers/base/devres.c:524
 devres_release_all+0x7c/0xa0 drivers/base/devres.c:545
 __device_release_driver drivers/base/dd.c:1190 [inline]
 device_release_driver_internal+0x4cb/0x750 drivers/base/dd.c:1221
 device_release_driver+0x19/0x20 drivers/base/dd.c:1244
 bus_remove_device+0x2dd/0x340 drivers/base/bus.c:535
 device_del+0x696/0xed0 drivers/base/core.c:3452
 hid_remove_device drivers/hid/hid-core.c:2512 [inline]
 hid_destroy_device+0x6a/0x110 drivers/hid/hid-core.c:2531
 usbhid_disconnect+0x9f/0xc0 drivers/hid/usbhid/hid-core.c:1448
 usb_unbind_interface+0x212/0x8c0 drivers/usb/core/driver.c:459
 __device_release_driver drivers/base/dd.c:-1 [inline]
 device_release_driver_internal+0x4bc/0x750 drivers/base/dd.c:1221
 device_release_driver+0x19/0x20 drivers/base/dd.c:1244
 bus_remove_device+0x2dd/0x340 drivers/base/bus.c:535
 device_del+0x696/0xed0 drivers/base/core.c:3452
 usb_disable_device+0x3a8/0x750 drivers/usb/core/message.c:1411
 usb_disconnect+0x31e/0x850 drivers/usb/core/hub.c:2310
 hub_port_connect drivers/usb/core/hub.c:5338 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5639 [inline]
 port_event drivers/usb/core/hub.c:5805 [inline]
 hub_event+0x1a88/0x42c0 drivers/usb/core/hub.c:5887
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 process_scheduled_works kernel/workqueue.c:2363 [inline]
 worker_thread+0xd56/0x13b0 kernel/workqueue.c:2449
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the object at ffff888112818000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 512-byte region [ffff888112818000, ffff888112818200)
The buggy address belongs to the page:
page:ffffea00044a0600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112818
head:ffffea00044a0600 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 379, ts 45725192236, free_ts 43686699391
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2235/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x268/0x5f0 mm/page_alloc.c:5370
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1813 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1874
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc+0x2a6/0x450 mm/slub.c:2796
 __slab_alloc+0x63/0xa0 mm/slub.c:2836
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 __kmalloc_track_caller+0x1ef/0x320 mm/slub.c:4541
 __kmalloc_reserve net/core/skbuff.c:144 [inline]
 __alloc_skb+0xdc/0x520 net/core/skbuff.c:212
 alloc_skb include/linux/skbuff.h:1126 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 inet6_ifa_notify net/ipv6/addrconf.c:5526 [inline]
 __ipv6_ifa_notify+0x1e8/0xdb0 net/ipv6/addrconf.c:6149
 ipv6_ifa_notify net/ipv6/addrconf.c:6202 [inline]
 addrconf_dad_completed+0x183/0xe80 net/ipv6/addrconf.c:4248
 addrconf_dad_work+0xc18/0x1410 net/ipv6/addrconf.c:-1
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 worker_thread+0xa6a/0x13b0 kernel/workqueue.c:2447
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 __free_pages_ok+0x7fc/0x820 mm/page_alloc.c:1629
 free_the_page mm/page_alloc.c:5431 [inline]
 __free_pages+0xdd/0x380 mm/page_alloc.c:5440
 __free_slab+0xcf/0x190 mm/slub.c:1899
 free_slab mm/slub.c:1914 [inline]
 discard_slab mm/slub.c:1920 [inline]
 unfreeze_partials+0x15f/0x190 mm/slub.c:2415
 put_cpu_partial+0xc1/0x180 mm/slub.c:2451
 __slab_free+0x2c9/0x3a0 mm/slub.c:3100
 do_slab_free mm/slub.c:3196 [inline]
 ___cache_free+0x111/0x130 mm/slub.c:3215
 qlink_free+0x50/0x90 mm/kasan/quarantine.c:157
 qlist_free_all+0x5f/0xb0 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x14a/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xf0 mm/kasan/common.c:440
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook+0x5d/0x2f0 mm/slab.h:580
 slab_alloc_node mm/slub.c:2952 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc+0x165/0x2e0 mm/slub.c:2965
 kmem_cache_alloc_node include/linux/slab.h:423 [inline]
 __alloc_skb+0x9e/0x520 net/core/skbuff.c:200
 alloc_skb include/linux/skbuff.h:1126 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 rtmsg_ifa+0xfa/0x1d0 net/ipv4/devinet.c:1927
 __inet_del_ifa+0x80b/0xd90 net/ipv4/devinet.c:441

Memory state around the buggy address:
 ffff888112817f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888112817f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888112818000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888112818080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888112818100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x7f/0xe0 kernel/locking/mutex.c:298
Write of size 8 at addr ffff888112818040 by task udevd/423

CPU: 0 PID: 423 Comm: udevd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
 atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
 mutex_lock+0x7f/0xe0 kernel/locking/mutex.c:298
 steam_input_open+0x91/0x160 drivers/hid/hid-steam.c:297
 input_open_device+0x14c/0x2a0 drivers/input/input.c:635
 evdev_open_device drivers/input/evdev.c:400 [inline]
 evdev_open+0x4d2/0x5e0 drivers/input/evdev.c:487
 chrdev_open+0x597/0x670 fs/char_dev.c:414
 do_dentry_open+0x793/0x1090 fs/open.c:819
 vfs_open+0x73/0x80 fs/open.c:942
 do_open fs/namei.c:3391 [inline]
 path_openat+0x27ad/0x3160 fs/namei.c:3509
 do_filp_open+0x1b3/0x3e0 fs/namei.c:3536
 do_sys_openat2+0x14c/0x6d0 fs/open.c:1217
 do_sys_open fs/open.c:1233 [inline]
 __do_sys_openat fs/open.c:1249 [inline]
 __se_sys_openat fs/open.c:1244 [inline]
 __x64_sys_openat+0x136/0x160 fs/open.c:1244
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f8e92001407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc312f9750 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f8e91f13880 RCX: 00007f8e92001407
RDX: 0000000000080000 RSI: 000055ef4816caf0 RDI: ffffffffffffff9c
RBP: 000055ef4817a340 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055ef465aa0c8
R13: 000055ef465aa0ce R14: 00007ffc312f9d50 R15: 000055ef465b0bcc

Allocated by task 0:
(stack is not available)

Freed by task 375:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4a/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1600 [inline]
 slab_free_freelist_hook+0xc5/0x190 mm/slub.c:1626
 slab_free mm/slub.c:3208 [inline]
 kfree+0xc0/0x270 mm/slub.c:4196
 release_nodes+0x753/0x7d0 drivers/base/devres.c:524
 devres_release_all+0x7c/0xa0 drivers/base/devres.c:545
 __device_release_driver drivers/base/dd.c:1190 [inline]
 device_release_driver_internal+0x4cb/0x750 drivers/base/dd.c:1221
 device_release_driver+0x19/0x20 drivers/base/dd.c:1244
 bus_remove_device+0x2dd/0x340 drivers/base/bus.c:535
 device_del+0x696/0xed0 drivers/base/core.c:3452
 hid_remove_device drivers/hid/hid-core.c:2512 [inline]
 hid_destroy_device+0x6a/0x110 drivers/hid/hid-core.c:2531
 usbhid_disconnect+0x9f/0xc0 drivers/hid/usbhid/hid-core.c:1448
 usb_unbind_interface+0x212/0x8c0 drivers/usb/core/driver.c:459
 __device_release_driver drivers/base/dd.c:-1 [inline]
 device_release_driver_internal+0x4bc/0x750 drivers/base/dd.c:1221
 device_release_driver+0x19/0x20 drivers/base/dd.c:1244
 bus_remove_device+0x2dd/0x340 drivers/base/bus.c:535
 device_del+0x696/0xed0 drivers/base/core.c:3452
 usb_disable_device+0x3a8/0x750 drivers/usb/core/message.c:1411
 usb_disconnect+0x31e/0x850 drivers/usb/core/hub.c:2310
 hub_port_connect drivers/usb/core/hub.c:5338 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5639 [inline]
 port_event drivers/usb/core/hub.c:5805 [inline]
 hub_event+0x1a88/0x42c0 drivers/usb/core/hub.c:5887
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 process_scheduled_works kernel/workqueue.c:2363 [inline]
 worker_thread+0xd56/0x13b0 kernel/workqueue.c:2449
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the object at ffff888112818000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 512-byte region [ffff888112818000, ffff888112818200)
The buggy address belongs to the page:
page:ffffea00044a0600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112818
head:ffffea00044a0600 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 379, ts 45725192236, free_ts 43686699391
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x179/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2235/0x23d0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x268/0x5f0 mm/page_alloc.c:5370
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1813 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1874
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc+0x2a6/0x450 mm/slub.c:2796
 __slab_alloc+0x63/0xa0 mm/slub.c:2836
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 __kmalloc_track_caller+0x1ef/0x320 mm/slub.c:4541
 __kmalloc_reserve net/core/skbuff.c:144 [inline]
 __alloc_skb+0xdc/0x520 net/core/skbuff.c:212
 alloc_skb include/linux/skbuff.h:1126 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 inet6_ifa_notify net/ipv6/addrconf.c:5526 [inline]
 __ipv6_ifa_notify+0x1e8/0xdb0 net/ipv6/addrconf.c:6149
 ipv6_ifa_notify net/ipv6/addrconf.c:6202 [inline]
 addrconf_dad_completed+0x183/0xe80 net/ipv6/addrconf.c:4248
 addrconf_dad_work+0xc18/0x1410 net/ipv6/addrconf.c:-1
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 worker_thread+0xa6a/0x13b0 kernel/workqueue.c:2447
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 __free_pages_ok+0x7fc/0x820 mm/page_alloc.c:1629
 free_the_page mm/page_alloc.c:5431 [inline]
 __free_pages+0xdd/0x380 mm/page_alloc.c:5440
 __free_slab+0xcf/0x190 mm/slub.c:1899
 free_slab mm/slub.c:1914 [inline]
 discard_slab mm/slub.c:1920 [inline]
 unfreeze_partials+0x15f/0x190 mm/slub.c:2415
 put_cpu_partial+0xc1/0x180 mm/slub.c:2451
 __slab_free+0x2c9/0x3a0 mm/slub.c:3100
 do_slab_free mm/slub.c:3196 [inline]
 ___cache_free+0x111/0x130 mm/slub.c:3215
 qlink_free+0x50/0x90 mm/kasan/quarantine.c:157
 qlist_free_all+0x5f/0xb0 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x14a/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xf0 mm/kasan/common.c:440
 kasan_slab_alloc include/linux/kasan.h:244 [inline]
 slab_post_alloc_hook+0x5d/0x2f0 mm/slab.h:580
 slab_alloc_node mm/slub.c:2952 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc+0x165/0x2e0 mm/slub.c:2965
 kmem_cache_alloc_node include/linux/slab.h:423 [inline]
 __alloc_skb+0x9e/0x520 net/core/skbuff.c:200
 alloc_skb include/linux/skbuff.h:1126 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 rtmsg_ifa+0xfa/0x1d0 net/ipv4/devinet.c:1927
 __inet_del_ifa+0x80b/0xd90 net/ipv4/devinet.c:441

Memory state around the buggy address:
 ffff888112817f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888112817f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888112818000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888112818080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888112818100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read
hid 0003:28DE:1102.0005: No HID_FEATURE_REPORT submitted -  nothing to read